So I have an ASP.Net MVC site and I was wondering if it was possible at all to make it so users will have to enter in their passwords manually so its not auto filled for them by the browser? It seems like a simple thing to ask, but googling this I just get instructions on how a client can disable their prompt.
I've never used it for this, but there is an autocomplete property that when disabled will tell the browser not to store any information from the password field :
If AutoComplete is disabled, values
are not stored and suggested values
are not presented.
http://msdn.microsoft.com/en-us/library/ms533486(VS.85).aspx
<INPUT TYPE="password" AUTOCOMPLETE="off">
I've used it for normal text fields for credit card numbers and such. But I didn't realize this would work for the password fields as well. You might want to try it in other browsers besides IE though to be sure.
UPDATE: Looks like this works in both Firefox and Chrome.
If you explicitly set value="" It will not be remembered. This is how my bank does it. You can also set the autocomplete property.
Related
I have an application, where a normal login is present. Once login, user can create other users and we have forms with username and password fields present in those forms.
Now my problem is, when login in the application and browser asks for remember password. If I say Yes and then I go to create other users then the forms show with the username password already filled that I used for login.
I want to remember password for the main login form but don't want those to display when I am creating other users. This is mainly coming in chrome. Might come in other browsers on in mobile browser as well.
I tried clearing the text box on document ready and setting autocomplete to off for the form. but didn't work out. If I remove the type="password" attribute from the password textbox, then the browser doesn't auto fill the username/password textbox but that causes the password to display.
Any suggestion to overcome this issue are welcome.
use AutoComplete=off
The autocomplete attribute specifies whether or not an input field should have autocomplete enabled.
<input type="email" name="email" autocomplete="off">
Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.
Note: The autocomplete attribute works with the following types: text, search, url, tel, email, password, datepickers, range, and color.
Update
apparently chrome ignores autocomplete="off"
This question will help you with that
Chrome Browser Ignoring AutoComplete=Off
Update 3
There is also another solution that works for people to and that is use autocomplete="false"
ref w3school
You can't tell the browser to only auto fill one set of usernames and passwords! Any sort of instructions to the browser regarding user names and passwords would be a security risk.
Your best bet would be to have the input controls have different ids and names so that the browser does not think this is the same form that it has saved information for.
I have completed the source code scan (ASP) using the Fortify source code scanner.
Many hidden fields shows as a vulnerability. Like this one:
<input type="hidden" name="ToSave" value="0" />
How do I fix this issue to receive a passing test?
Thanks in advance
Mahesh
If this is application state and is not modified by the user:
Passing application state thru the browser is always a bad idea and is one of the first things that the hacker will exploit.
If this is application state: use proper ASP session management and save the session state on the server when you send the page to the user, and look up the session state on the server when the request is returned. In ASP.NET with C# you might do something like this:
Session(“ToSave”) = false;
When you send the response to the browser (e.g. send the page). Then, when you get the request back, because you’re using ASPs session management, session will have the state that you set.
If this is not application state but is a hidden field that is calculated by JavaScript in the browser and is used on the server side:
Please look at the design of the application. I do a ton of these code reviews and usually find that the application is doing something in JavaScript that should only be done on the server side. One example would be calculating the score of a test on the form putting that score in a hidden field and accepting that field on the server. Another example would be calculating the ‘next’ page in a flow and putting a marker in a hidden field. If you want to provide something like a score on the browser for user convenience use that's fine but make the official calculation (and decision, if applicable) on the server.
An attacker can easily see these values and create a request that would break your application, or worse, get the attacker something that he or she did not deserve.
In any case hidden fields are cached on the browser just as any pages are cached so it might not be wise to use hidden fields if they contain data you expect the user to not be able to see.
So, bottom line, I would agree that you shouldn't use hidden fields.
helping my friend with his old ASP site and ran into an issue so I wanted to throw this out to see if i can get some help.
The site basically needs to POST data to another page which it's doing fine. The problem is that it's needs to POST the username/password to the receiving page and the site is currently holding that in hidden fields which is obviously no good since you can see it in the source code.
How can you pull the data in on the ASP page without having it hidden in an input field? I know it can get stored as a variable but then I can't POST it and if I put that variable in an input value field it shows up in the source.
Any help would be appreciated.
Thanks!
it needs to POST the username/password to the receiving page
No it doesn't. :)
If the two pages are part of the same site, use the Session object.
If the two pages are on different sites, things are trickier, but the idea is similar. I'm guessing this isn't the case for you, but if it is, look at OAuth. (For example, when you log in here, you use authentication from another site, but stackoverflow never sees your password for that site. Same idea.)
Create a database table that looks like
uniqueidentifier SessionId
varchar Username
varchar Password
Store the SessionId in the cookie with Response.Cookies.
Get the SessionId from the cookie in JavaScript, and send an ajax request to a page that gets the username and password from the database using the SessionId and outputs the values in JSON. Attach the values with javascript to a hidden field. You will still appear to be getting a value from the hidden field on the page that receives the form post, but if a user views the page source it would just say something like <input type="hidden" id="username" name="username" value="DefaultUserNameValue" />. The value will be assigned dynamically using javascript, which is not visible to the User.
There is similar question like this for ASP.net, but I wanted to know if there is a 'relatively' easy way to do this on RoR.
I have a field for "Price" where I want the user to only type in numbers. This means that when the user tries to type in anything else, my web app shouldn't let them (nothing should happen).
If this isn't possible, I guess I can just validate my data after the user has submitted the "Submit" button and then flash a message that says "'Price' must be a number."
Thank you for your time,
JHS
This requires a javascript solution (since you want the check to occur client-side) so it will depend on which javascript framework you are using. If you are using jQuery this is a nice one that will do exactly what you need: Numeric
as everyone already mentioned this requires a javascript solution. you can use the following regex to test that only numbers are given
/^[0-9]+$/
tie that to an onKeyUp event handler and you can validate the input client side
So I've inherited this legacy rails codebase and there's a bug i need to fix where a given form is retaining values (that have not yet been saved to the DB) even after Page Refresh.
Use Case:
User fills data in form but does not press submit.
User Clicks refresh button on browser.
The Values in the form are retained instead of refreshing the whole page.
Any ideas where I can start looking? In my brief, limited Rails experience, this is not the sort of thing that happens by default, so it must be coded somewhere?
Sometimes browsers will do this. (I'm not talking about auto-fill drop-downs, which browsers also do... just talking about forms that are partially filled out, never submitted, and are then refreshed).
Make sure the values in the fields are actually coming from your Rails app by checking the HTML source window.
Values provided by the browser due to previous entry won't be in the VALUE attribute, but server-provided ones will be.
Some options for avoiding this might be:
Send the user to the form using a POST. Thus, any refresh results in a "do you want to resubmit" etc. I don't think the browser will pre-fill any fields in this situation (same as when a user posts and then hits the back button).
Use the onload() event to wipe out the form field values.
There's probably a simpler solution... Ctrl-F5 sometimes does the trick, but I think I've seen even that not work before.
Tell user to press CTRL+F5
--
edit
if you can't tell the user to press CTRL+F5 (which always in my experience works unless the browser is buggy, or unless something else is going wrong), just trip form.reset() in the onload event. This will clear the fields in the form to the default values. If you have default values in the fields though, (like <input type="text" value="enter name here" />) then when you trip .reset(), it will reset to the default value.
I just ran into this problem as well, and even <body onload="myform.reset()"> didn't work. This was particularly a problem because, for better or for worse, I'm using hidden inputs as counters (to keep track of a dynamic number of file upload fields, for example). These obviously need to be reset on reload to keep non-applicable warning messages from appearing. I "fixed" it for my in-house purposes by abandoning the reset button in favor of a link. Instead of <input type="reset"/> I'm using Reset (the filename is index.php). Far from elegant, but it works for my purposes.
I ran into this issue with a Rails 7 app. When navigating to a view with a form everything is blank, when I hit refresh all the inputs get filled by the browser (not by Rails). To keep the inputs blank I used the autocomplete attribute, which is supported by all modern browsers:
<!-- for the whole form -->
<form method="post" action="/form" autocomplete="off">
<!-- for a specific input element -->
<input type="text" id="foo" name="foo" autocomplete="off">